Security and WAP Gateways

A Wireless Application Protocol (WAP) gateway serves as an intermediary, decrypting the user's SSL connection and re-encrypting the information to send it to the mobile device.

Note   To protect the data transfer channel, WAP relies on a protocol called Wireless Transport Layer Security (WTLS).

In a browser environment, when you connect to a site using SSL/TLS, your browser automatically verifies that the domain part of the URL matches the domain in the X.509 certificate that the HTTPS server presents when you connect to it.

SSL certificates are tamper-evident because the cryptographic signature is checked against the root certificates of the major certificate authorities. This check assures that the requesting party is connected to the right host and helps protect you from an attack by an intermediary.

Note   Many WAP gateways do not perform this check or, if they do, do not pass information about mismatches back to the user.
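The domain check described above, written out as an added example (not code from the original documentation): it compares the requested host with the DNS names in a certificate and builds the mismatch notice a gateway would need to relay to the device. The function names and the sample certificate are constructed for illustration. The certificate uses the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`. Signature validation against the root certificates is a separate step and is not shown.

```python
# Added example: hostname check performed by a TLS client, or by a WAP
# gateway acting as the TLS client on the device's behalf.

# Constructed sample certificate (getpeercert() dictionary shape).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"),
                       ("DNS", "*.cdn.example.com")),
}

def name_matches(pattern, host):
    """Compare one certificate DNS name with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard only as the whole left-most label, never "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_hostname(cert, requested_host):
    """Return (ok, detail) for the requested host against the certificate."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # Older certificates carry the host only in the subject commonName.
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    if not names:
        return False, "certificate carries no DNS name"
    for name in names:
        if name_matches(name, requested_host):
            return True, f"{requested_host} matches {name}"
    return False, (f"{requested_host} does not match certificate names: "
                   + ", ".join(names))

def gateway_response(cert, requested_host):
    """Decide whether to forward, and what to tell the device if not."""
    ok, detail = check_hostname(cert, requested_host)
    if ok:
        return {"forward": True, "notice": None}
    # Surface the mismatch to the user instead of silently continuing.
    return {"forward": False, "notice": "Certificate mismatch: " + detail}

if __name__ == "__main__":
    for host in ("shop.example.com", "img.cdn.example.com", "shop.example.net"):
        print(host, gateway_response(SAMPLE_CERT, host))
```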

Wireless carriers help provide some security between the wireless device and the base station and across the physical network connecting base stations and switching centers. But a carrier's security measures end with the network and do not provide end-to-end, cross-platform security for any wireless device. For example, WAP Internet access introduces a point of potential vulnerability at the WAP gateway, where the WTLS connection (which helps to maintain a restricted connection between the mobile device and the WAP gateway) changes to an SSL connection between the WAP gateway and the Web server. Some corporations are moving to enterprise control of their gateways as a means of assuring that the gateways are trusted.

Additional security recommendations can be found in the Securing Applications and the ASP.NET Web Application Security sections of the .NET Framework SDK documentation.

See Also

Designing Secure Mobile Applications | Secure Coding Guidelines | RedirectFromLoginPage Methods, MobileFormsAuthentication Class, SignOut Method | .NET Framework Cryptography Model | List | ObjectList | Accessing Data with ASP.NET | Accessing Data with ADO.NET | Inserting Data Into a SQL Database | Developing Mobile Web Applications | Application Developer's Guide | Inside the ASP.NET Mobile Controls | The Passport Authentication Provider